April 24, 2006

Information Technology Management

Review of the Information Security Operational Controls of the Defense Logistics Agency's Business Systems Modernization-Energy
(D-2006-079)

Department of Defense
Office of Inspector General
Quality    Integrity    Accountability

Additional Copies

To obtain additional copies of this report, visit the Web site of the Department of Defense Inspector General at http://www.dodig.mil/audit/reports or contact the Secondary Reports Distribution Unit, Audit Followup and Technical Support at (703) 604-8937 (DSN 664-8937) or fax (703) 604-8932.

Suggestions for Future Audits

To suggest ideas for or to request future audits, contact Audit Followup and Technical Support at (703) 604-8940 (DSN 664-8940) or fax (703) 604-8932. Ideas and requests can also be mailed to:

    ODIG-AUD (ATTN: AFTS Audit Suggestions)
    Department of Defense Inspector General
    400 Army Navy Drive (Room 801)
    Arlington, VA 22202-4704

Acronyms

ATO      Authority To Operate
BSM-E    Business Systems Modernization-Energy
C&A      Certification and Accreditation
CIO      Chief Information Officer
COOP     Continuity Of Operations Plan
DESC     Defense Energy Support Center
DLA      Defense Logistics Agency
DAA      Designated Approving Authority
EDC      Enterprise Data Center
FISMA    Federal Information Security Management Act
FAS      Fuels Automated System
FES      Fuels Enterprise Server
IA       Information Assurance
IT       Information Technology
IATO     Interim Authority To Operate
MOU/A    Memorandum Of Understanding/Agreement
MAC      Mission Assurance Category
NIST     National Institute of Standards and Technology
OMB      Office of Management and Budget
POA&M    Plan Of Action and Milestones
SSAA     System Security Authorization Agreement

Department of Defense Office of Inspector General
Report No. D-2006-079                                    April 24, 2006
(Project No. D2005-D000AL-0158.000)

Review of the Information Security Operational Controls of the Defense Logistics Agency's Business Systems Modernization-Energy

Executive Summary

Who Should Read This Report and Why? The DoD Chief Information Officer; Director, Defense Logistics Agency; Defense Logistics Agency Chief Information Officer; and Chief Information Officers of the Air Force, Army, and Naval branches of the military should read this report to obtain information about Business Systems Modernization-Energy (Fuels Automated System). This report discusses how Business Systems Modernization-Energy (Fuels Automated System) is managed and controlled by the Defense Logistics Agency and how it is used at the base level by the Military Services.

Background. This report was prepared in response to the annual reporting requirements of the Federal Information Security Management Act of 2002. The Federal Information Security Management Act of 2002 is title III, section 301 of the E-Government Act of 2002 (Public Law 107-347). The Federal Information Security Management Act provides a comprehensive framework for ensuring the effectiveness of information security controls, management, and oversight required to protect Federal information and information systems.
In addition, the Federal Information Security Management Act requires the Inspectors General of each agency to perform an independent evaluation of the agency's information security programs and practices.

The Defense Logistics Agency supplies the nation's Military Services and several civilian agencies with the critical resources they need to accomplish their worldwide missions. The Defense Energy Support Center is the component of DLA assigned responsibility for providing the DoD and other government agencies with comprehensive energy solutions. The Business Systems Modernization-Energy (Fuels Automated System) supports the Defense Energy Support Center and the Military Services in performing their responsibilities in fuel management and distribution. The information security operational controls related to the Business Systems Modernization-Energy (Fuels Automated System) should operate effectively and provide an appropriate level of information assurance.

Results. The DLA Chief Information Officer has not fully implemented information security operational controls at the Defense Logistics Agency. Specifically, the Defense Logistics Agency Chief Information Officer did not:

    •  ensure that Business Systems Modernization-Energy (Fuels Automated System) was fully certified and accredited;

    •  address all system security weaknesses in the plans of action and milestones;

    •  ensure that adequate user access controls were in place;

    •  consistently provide users with annual security awareness training; and

    •  complete and test system-wide continuity of operations plans.

In addition, weaknesses were found in the Defense Logistics Agency Management Control Program for the Business Systems Modernization-Energy (Fuels Automated System) certification and accreditation, user access controls, training requirements, and continuity of operations plan. As a result, the Business Systems Modernization-Energy (Fuels Automated System) operated with vulnerabilities that present potential risks to the Defense Logistics Agency and the DoD. See the Finding section of the report for the detailed recommendations.

Management Comments and Audit Response. The Defense Logistics Agency Chief Information Officer/Designated Approving Authority nonconcurred with twelve of the recommendations and concurred with comments on four recommendations. The comments stated that the Business Systems Modernization-Energy (Fuels Automated System) Base Level Support Application Type Accreditation was developed in accordance with DoD 8510.1-Manual, "DoD IT and Security Certification and Accreditation Process Application Manual," July 31, 2000, which designates Base Level personnel as the responsible source for complying with information assurance responsibilities.
The comments repeatedly stated that the Defense Logistics Agency is not responsible for Base Level compliance with information assurance guidance. The comments also state that the established Defense Logistics Agency One Book chapters fully address the policies required to implement and sustain an effective information assurance program. Additionally, the comments state that updates to the Business Systems Modernization-Energy (Fuels Automated System) will occur once the system migrates to the Enterprise Data Center. Furthermore, the comments state that the provisions within the Business Systems Modernization-Energy (Fuels Automated System) Base Level Support Application System Security Authorization Agreement are binding on all organizations where the application is installed and operated.

The Defense Logistics Agency Chief Information Officer/Designated Approving Authority comments were nonresponsive to fourteen recommendations and partially responsive to two recommendations. The Defense Logistics Agency comments contained inaccurate dates and incorrect citations of DoD policy. The Defense Logistics Agency is required to develop a plan of action and milestones for all programs and systems where an information security weakness has been identified. The Business Systems Modernization-Energy (Fuels Automated System) Base Level Support Application System Security Authorization Agreement should have included a statement that defines the intended operating environment as well as any operating procedures required for the type accredited system. In addition, the program manager, user representative, and information system security officer should have ensured that proper security operating procedures, configuration guidance, and training were delivered with the system. See the Finding section of the report for a discussion of management comments and the Management Comments section of the report for the complete text of the comments.

Table of Contents

Executive Summary                                                    i

Background                                                           1

Objectives                                                           3

Finding
     Implementation of Security Operational Controls for the BSM-E (FAS) System     4

Appendixes
     A.  Scope and Methodology                                      24
     B.  Prior Coverage                                             25
     C.  Criteria                                                   26
     D.  Report Distribution                                        30

Management Comments
     Defense Logistics Agency                                       33

Background

Defense Logistics Agency. The Defense Logistics Agency (DLA) supplies the nation's military services and several civilian agencies with the critical resources they need to accomplish their worldwide missions. DLA provides wide-ranging logistics support for peacetime and wartime operations, as well as emergency preparedness and humanitarian missions. The Defense Energy Support Center (DESC) is the component of DLA assigned responsibility for providing the DoD and other government agencies with comprehensive energy solutions in the most effective and economical manner possible.
The basic mission of DESC is to support the warfighter and manage the energy sources of the future.

Business Systems Modernization-Energy (Fuels Automated System) Background. The Business Systems Modernization-Energy (BSM-E) (formerly the Fuels Automated System (FAS)) is categorized by the DLA as a Mission Assurance Category (MAC) II (see footnote 1) and is responsible for managing all DoD fuels. BSM-E (FAS) supports the DESC and the Military Services in performing their responsibilities in fuel management and distribution. The BSM-E (FAS) is considered a multi-functional automated information system that provides point of sale data collection, inventory control, finance and accounting, procurement, and facilities management. The BSM-E (FAS) provides an advanced tool for DESC's worldwide energy support mission, with five primary software programs:

    •  Fuels Control Center;

    •  Fuels Enterprise Server (FES);

    •  Energy Downstream;

    •  Oracle Government Financial; and

    •  Management Information.

The BSM-E (FAS) is composed of a Base Level system, the FES, and an Enterprise Level system. The BSM-E (FAS) Base Level system consists of computers loaded with Fuels Control Center software. The Base Level system provides the capability to order fuel from existing contracts; document receipt of fuel; document issues/sales; compare booking to physical inventory accounting; and schedule quality checks and physical plant inspections. The FES is the single point of entry for base level transactions. The FES receives, sorts, validates, and manages data entered from the Base Level system and sends that data to the Enterprise Level system. The Enterprise Level system consists of Energy Downstream software, Oracle Government Financial software, Management Information software, and the Constellar Hub (serving as a gateway from FES to Energy Downstream).

1  Mission Assurance Category II (MAC II) systems handle information that is important to the support of deployed and contingency forces. The consequences of loss of availability could include delay or cause degradation in providing important support services or commodities that may seriously impact mission effectiveness or operational readiness. MAC II systems require additional safeguards beyond best practices to ensure assurance.

The BSM-E (FAS) is supported at three military locations: the Defense Supply Center Richmond in Richmond, Virginia; the DLA Headquarters in Fort Belvoir, Virginia; and the Washington Navy Yard in Washington, D.C. The Defense Supply Center Richmond houses the primary production equipment, while the Washington Navy Yard/DLA hosts the alternate, test, development, and control systems and provides Continuity of Operations capability.
The figure below shows the BSM-E (FAS) data flow process.

[Figure: BSM-E (FAS) Data Flow Process. Boxes in the figure: Fuels Control Center (Base Level System); Fuels Enterprise Server (FES); Constellar Hub / Energy Downstream (Enterprise Level System); Oracle Government Financial (Enterprise Level System); Management Information (Enterprise Level System).]

Government Accountability Office Report 06-31. In October 2005, the Government Accountability Office issued a DLA Information Security Report stating that DLA had not fully implemented an agency-wide information security program to protect the information and information systems that support its operations and assets. Specifically, the Government Accountability Office stated that DLA did not consistently assess risks for its information systems; sufficiently train employees who have significant information security responsibilities or adequately complete training plans; annually test and evaluate the effectiveness of management and operational security controls; or sufficiently complete plans of action and milestones for mitigating known information security deficiencies.

Objectives

The overall objective of the audit was to determine whether information security operational controls operate effectively and provide an appropriate level of information assurance.
Specifically, during this audit we assessed the adequacy and effectiveness of the security program; the implementation and effectiveness of access controls; and the procedures and testing of contingency and continuity of operations plans. We also reviewed the Management Control Program as it related to the overall objective. See Appendix A for a discussion of audit scope and methodology. See Appendix B for prior audit coverage related to the overall objective. See Appendix C for information security operational controls criteria.

Management Control Program Review

DoD Directive 5010.38, "Management Control Program," August 16, 1996, and DoD Instruction 5010.40, "Management Control Program Procedures," August 18, 1996, require DoD organizations to implement a comprehensive system of management controls that provides reasonable assurance that programs are operating as intended and to evaluate the adequacy of the controls.

Scope of the Review of the Management Control Program. The audit team examined the DLA Management Control Program by following the procedures the audit team outlined to achieve their objective. The objective was to determine whether information security operational controls operate effectively and provide an appropriate level of information assurance. The audit team tested the DLA Management Control Program by reviewing the certification and accreditation (C&A) of the system, the security program, access controls, and contingency and continuity of operations plans (COOP). In addition, management's self-evaluation of the applicable management controls was examined.

Adequacy of Management Controls. The audit team found weaknesses in the DLA Management Control Program for the BSM-E (FAS) C&A, user access controls, training requirements, and COOP. Specific results are in the Finding section of the report. The implementation of the report recommendations will correct the identified weaknesses. A copy of the final report will be provided to the senior official responsible for management controls at DLA.

Adequacy of Management's Self-Evaluation. The audit team found weaknesses with the review of the Management Control Program performed by DLA. DLA conducted a review of the J6F (see footnote 2) system of internal accounting and administrative control. The DLA review of the integrity of the J6F information systems did not recognize the risks that DLA systems face in regard to logon identities and passwords, user access, and training requirements when operated at non-DLA locations.

2  J6 is the Information Operations organization of DLA. J6F is the Information Operations Directorate, Fort Belvoir site.

Implementation of Security Operational Controls for the BSM-E (FAS) System

The DLA Chief Information Officer (CIO) has not fully implemented information security operational controls at the DLA.
Specifically, the DLA CIO did not:

    •  ensure that BSM-E (FAS) was fully certified and accredited;

    •  address all system security weaknesses in the plans of action and milestones (POA&Ms);

    •  ensure that adequate user access controls were in place;

    •  consistently provide users with annual security awareness training; and

    •  complete and test system-wide continuity of operations plans.

This occurred because DLA did not adequately assign Information Assurance (IA) responsibilities and have an effective Management Control Program for IA. As a result, BSM-E (FAS) operated with vulnerabilities that present potential risks to the DLA and the DoD.

Federal Information Security Management Act

The E-Government Act of 2002 (Public Law 107-347), title III, section 301, "Federal Information Security Management Act of 2002," provides a comprehensive framework for ensuring the effectiveness of information security controls, management, and oversight required to protect Federal information and information systems. The Federal Information Security Management Act (FISMA) requires Federal agencies to develop, document, and implement an agency-wide information security program and annually report to the Office of Management and Budget (OMB) and the Congress the adequacy and effectiveness of information security policies, procedures, and practices. FISMA requires each agency to perform annual testing and evaluation of the management, operational, and technical controls and also states that each agency's security program shall include the provision for the continuity of operations for information systems that support the operations and assets of the agency. In addition, FISMA requires the Inspectors General of each agency to perform an independent evaluation of the agency's information security programs and practices.

As mandated by FISMA, Section 20 of the National Institute of Standards and Technology (NIST) Act (15 U.S.C. 278g-3) was amended to insert that NIST had the mission of developing standards, guidelines, and associated methods and techniques for information systems. This includes minimum requirements for information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency, other than national security systems.
NIST was also assigned responsibility for developing standards and guidelines, including minimum requirements, for providing adequate information security for all agency operations and assets, but such standards and guidelines would not apply to national security systems.

BSM-E (FAS) Security Operational Controls

The DLA CIO did not fully implement information security operational controls. According to the DLA One Book Policy, "IA Operational Controls," August 19, 2004, the implementation of IA operational controls is necessary to ensure the confidentiality, integrity, and availability of Sensitive but Unclassified and classified data processed and stored by information technology (IT) systems in a day-to-day operational environment.

Certification and Accreditation. DLA had not fully certified and accredited the BSM-E (FAS) since 2001. In October 2003, the DLA Designated Approving Authority (DAA) formally designated the BSM-E (FAS) as a MAC II Sensitive System in accordance with DoD Instruction 8500.2. Additionally, the DAA required that the BSM-E (FAS) System Security Authorization Agreement (SSAA) be updated and completed by December 30, 2003. On July 1, 2004, the DAA granted BSM-E (FAS) an Interim Authority to Operate (IATO) for 180 days to accomplish IA remediation actions identified in the POA&M. DLA completed a new BSM-E (FAS) SSAA in October 2004; however, the DAA did not issue another IATO until December 30, 2004, because an Authority to Operate (ATO) could not be granted based on outstanding POA&M items. The Memorandum from the DLA DAA stated that the IATO expired on June 28, 2005, which should have been sufficient time for J6F to resolve the existing vulnerabilities and submit the necessary documentation to support an ATO.

On May 13, 2005, the DAA for BSM-E (FAS) issued an IATO Extension for Applications Migrating to the Enterprise Data Center (EDC) (see footnote 3). The IATO Extension memorandum was created to avoid expiration of the current BSM-E (FAS) IATO pending realignment of the system under the EDC SSAA. Furthermore, in September 2005, the DAA signed an ATO for the BSM-E (FAS) Base Level Support Application. According to NIST Special Publication 800-37, security reaccreditation occurs at the discretion of the authorizing official when significant changes have taken place in the information system or when a specified time period has elapsed in accordance with federal or agency policy. Between October 2003 and September 2005, BSM-E (FAS) underwent two major system changes: becoming a MAC II Sensitive System and separating the Base Level system from the rest of BSM-E (FAS), which required completion of a separate C&A for the Base Level system. However, the DAA did not require the completion of a full reaccreditation of the system in either of those instances.

3  The EDC is a consolidation and outsourcing of DLA servers and database operations from the current multi-distributed data center approach to a logical Data Center using a geographically dispersed data center approach.
These data centers are located in commercial facilities and are maintained by the contractor.

DLA should ensure that the BSM-E (FAS) system undergoes a full reaccreditation to include the BSM-E (FAS) Base Level Support Application in accordance with DoD 8510.1-M, which states that as changes to a system occur, they should be reflected in the SSAA.

Plans of Action and Milestones. The BSM-E (FAS) POA&M did not address all BSM-E (FAS) security weaknesses and was not being updated on a quarterly basis. The OMB Memorandum 02-01, "Guidance for Preparing and Submitting Security POA&M," October 17, 2001, states that the purpose of a POA&M is to assist agencies in identifying, assessing, prioritizing, and monitoring the progress of corrective efforts for security weaknesses found in programs and systems. Additionally, the Memorandum states that agency officials should prepare a POA&M for every system for which weaknesses were identified in security act reports, audits, and assessments and should submit brief status updates of their system POA&Ms to their agency CIO on a quarterly basis.

As a result of a review by the Joint Interoperability Test Command in September 2003, DLA created the BSM-E (FAS) POA&M that included IA findings from the review. However, the BSM-E (FAS) POA&M did not address all IA findings. For example, the Joint Interoperability Test Command Report stated that the documentation provided in the SSAA did not contain the comprehensive elements of a system security plan that identifies the technical, administrative, and procedural IA program. The report specifically stated that DoD Instruction 8500.2 required the following elements to be documented:

    •  all external interfaces, the information being exchanged, and the protection mechanisms associated with the interface;

    •  user roles required for access control and the access privileges assigned to each role;

    •  unique security requirements;

    •  categories of sensitive information processed or stored by BSM-E (FAS) and their specific protection plans; and

    •  restoration priorities of subsystems, processes, or information.

As of June 2005, the BSM-E (FAS) POA&M did not include the task of updating the SSAA to reflect that documentation.

Additionally, the BSM-E (FAS) POA&M had not been updated since June 2005. According to DLA IA personnel, the POA&M will not be updated until the migration of BSM-E (FAS) to EDC, tentatively scheduled for January 2006. However, since the last POA&M update in June 2005, BSM-E (FAS) underwent a major architectural change when the Base Level system received its own separate accreditation in September 2005. Therefore, DLA should update the BSM-E (FAS) POA&M and remove weaknesses that pertained to the Base Level system.

User Access Controls. BSM-E (FAS) user access controls needed improvement at DLA and the Base Level user sites. Specifically, DLA did not require all BSM-E (FAS) users to implement necessary access controls and was unaware of who accessed BSM-E (FAS) at BSM-E (FAS) user sites. For example, DLA did not have procedures for granting and removing access to Base Level and FES users, completing user agreement forms at the Base Level, locking inactive computers, disabling inactive accounts, and accessing system software.

    Base Level Users. The BSM-E (FAS) Base Level sites did not have user access and removal procedures.
The three military sites visited did not have policies that outlined a process for granting access to new local area network users and, therefore, access to BSM-E (FAS). Although two of the three military sites had policies that required new local area network users to complete an initial computer test before being granted access to the local area network, there was no consistency in how the three military sites granted access to new local area network users. Also, none of the three military sites had policies that outlined the requirements and duties for personnel that granted new BSM-E (FAS) users account access.

In addition, two of the three military sites visited did not have policies in place to remove Base Level system users from the network when access was no longer required. The third military site issued general guidance but did not identify specific duties. Each military site had an informal method for removing users, but had not established specific policies that outlined the removal process. As of January 2006, DLA did not know who had access to BSM-E (FAS) at the Base Level.

    FES Users at Military Sites. DLA did not have procedures for removing individuals who no longer required access to FES at the Base Level. For example, for the three military sites visited, DLA headquarters had a list of all FES users at those sites; however, not all of the listed individuals who had FES access required FES access. Of the fifteen FES users listed at one site, three FES users no longer required FES access and three other FES users could not be found on the Global Address List. For the twenty FES users listed at the other two sites, each site had one person who could not be found on the Global Address List. If a user was not listed in the Global Address List, it meant they no longer had a network account at that location and, therefore, should no longer require access to the FES. DESC was developing an interim policy, DESC-T Instruction-24, which will outline the procedures for DESC user access to and removal from FES. However, until DESC-T Instruction-24 is approved, DESC does not have a policy that outlines the process to grant or remove DESC users' access to BSM-E (FAS).

    User Agreement Forms. Two of the three military sites and DLA headquarters require new network users to sign a User Agreement/Rules of Behavior document. The User Agreement/Rules of Behavior document outlines the standards of conduct that the user is expected to follow. The other military site did not implement or use a User Agreement/Rules of Behavior document for network users' acknowledgement and agreement. DoD Instruction 8500.2, "IA Implementation," February 6, 2003, requires a set of rules that describes the responsibilities and expected behavior of all personnel, including the consequences for non-compliance with the rules. A signed acknowledgement of the rules is a condition of access. Accordingly, DLA needs to direct all sites that use BSM-E (FAS) to comply with DoD Instruction 8500.2 and require users to sign a formal standardized User Agreement/Rules of Behavior document before gaining access to the system.

    User Lockout. BSM-E (FAS) computers did not have a screen-lock function that prevented users from accessing the system after periods of inactivity. Specifically, network settings on the BSM-E (FAS) computers at the three military sites did not automatically log users off or lock them out of their workstation after a period of inactivity. At one military site, a Base Level computer activated a password protected screen saver after sitting inactive for a period of time; however, the setting on the computer was manually set.
At two other military sites, Base Level computers did not use a screen saver lockout. There were no policies in place at any of the three military sites requiring a network setting for a log-off or lockout function. Network technicians at DLA Headquarters stated that they had implemented a network setting that refreshes periodically on all user workstations at Headquarters to activate a password-protected screen saver on the user's workstation after a period of inactivity. However, DLA was not able to show the audit team an example of this network setting. Personnel at DLA advised that the newest version of BSM-E (FAS) (Fuels Manager Defense 6.0) will have a feature that automatically logs users out of BSM-E (FAS) after a period of inactivity, even if the user has not logged off their workstation. DoD Instruction 8500.2 requires the association of a screen-lock function with each workstation. The screen-lock function, when activated by either a specific user action or after a specified period of workstation inactivity (e.g., 15 minutes), places an unclassified pattern on the screen that hides the previously visible screen. Once the screen-lock function is activated, access to the workstation requires a unique authenticator. DLA should ensure a screen-lock function is installed on every workstation that runs BSM-E (FAS), as required by DoD Instruction 8500.2, because the system does not require an individual log-in to gain access to the system. Without a screen-lock function, potentially unauthorized individuals could gain access to BSM-E (FAS) on an unprotected workstation connected to a network.

Additionally, at two military sites, permission settings for BSM-E (FAS) were not limited to individuals who required access to BSM-E (FAS). At these two military sites, permission settings were set to allow everybody on the base with a network username and password to access BSM-E (FAS).
When advised, personnel from DESC and the site were able to change the permission settings at one of the two locations. However, the other location still had permission settings that allowed everyone with a network account to have access to BSM-E (FAS). DLA should require all BSM-E (FAS) Base Level sites to evaluate their network permission settings to ensure that only current BSM-E (FAS) users have access to the system. Unnecessary or unauthorized access could pose undue risks to DoD systems and information.

Inactive Accounts. Inactive accounts were not being properly removed from the network. None of the military sites visited had a policy in place regarding the removal of inactive accounts. Also, one military site did not scan its network for inactive accounts. Another military site scanned the network quarterly and deactivated inactive accounts with the permission of the inactive user's manager. The third military site scanned the network for accounts that had been inactive for at least 45 days and either deleted or disabled the account with the approval of the inactive user's manager. Any inactive account was deleted after 90 days of inactivity; however, none of these functions were documented in formal policy. DLA should require BSM-E (FAS) Base Level sites to disable or remove inactive accounts so there is no way for users to gain unauthorized access.

DLA is in the process of implementing a new process for handling inactive accounts on the DLA network. DLA plans to conduct monthly network scans to detect accounts that have been inactive for 90 days, which will then be deactivated. After 6 months of inactivity, the user's account will be archived and no longer accessible. Prior to this change, DLA only performed network scans every 6 months.
Although DLA's new process increases the number of scans for inactive accounts, the procedures do not meet One Book requirements. The DLA One Book, "Information Assurance Operational Controls," August 19, 2004, states that user accounts which exceed 30 days of inactivity will be disabled. DLA should ensure that inactive accounts are being disabled in accordance with the One Book policy.

Access to System Software. Critical software for BSM-E (FAS) must be kept safeguarded. The BSM-E (FAS) software has been well protected at DLA headquarters. While two of the three military sites visited stored the BSM-E (FAS) software disk in a locked location, the third military site stored the system software disk next to the computer in an unlocked container. Additionally, none of the three military sites stored the critical software in a fireproof container or at a separate location, as outlined in DoD Instruction 8500.2. DLA should ensure the BSM-E (FAS) software is stored at a separate location and in an appropriate container.

Annual Security Awareness Training. The BSM-E (FAS) users were not consistently provided annual security awareness training or required privileged user training. As required by DoD Directive 8570.1, "Information Assurance Training, Certification, and Workforce Management," August 15, 2004, all users of DoD information systems shall receive initial IA awareness and annual IA refresher awareness training. Additionally, all privileged users shall be fully qualified, trained, and certified to DoD baseline requirements to perform their IA duties. FISMA also requires all DoD Components to report training information annually to OMB and Congress.

Required annual IA security awareness training was not being enforced.
Based on a judgmental sample of users at each location visited, only one of the four sites, including DLA Headquarters, had updated their annual IA security awareness training for FY 2005. All three Base Level users at one military site completed their IA security awareness training. At the second military site, 23 of 36 Base Level users completed their required annual IA security awareness training. At the third military site, none of the three Base Level users completed their required annual IA security awareness training. Based on a judgmental sample of 20 of the 170 FES users at DLA headquarters, only 1 of the 20 people sampled had completed their FY 2005 IA security awareness training as of October 13, 2005.

DLA did not track users with significant security responsibilities at the Base Level or whether those users had been properly trained. At each of the three military sites visited, there was one individual with significant security responsibilities who could make network and BSM-E (FAS) system changes. One of the three military sites had a checklist of training requirements for the position. Another of the three military sites had a one-course minimum completion requirement for the individual to achieve their position. The third military site had no training requirements outlined for the individual with significant security responsibilities. DLA currently does not have a training plan in place that requires training for individuals with significant security responsibilities.
However, DLA personnel reported that there is a Statement of Work in place with a contractor to develop an IT and IA Professional Development Plan, which will outline required training, tasks, and skills for each job function at DLA.

Continuity of Operations Plans. DLA had not updated or tested the BSM-E (FAS) COOP since October 2004. According to DLA personnel, there are no plans to update or test the BSM-E (FAS) COOP until the system migrates to the EDC. DLA considers the migration of BSM-E (FAS) to the EDC the next COOP test. However, since the last BSM-E (FAS) COOP test occurred in October 2004 and the movement of BSM-E (FAS) to the EDC had a variable date of January 2006, DLA did not comply with the annual COOP test policy, as specified in the DLA One Book chapter, "IT COOP Planning," dated January 28, 2003. In addition, DLA did not know whether backup data was properly created and stored or whether recovery procedures existed at the Base Level.

Update to COOP. DLA had not recently updated the BSM-E (FAS) COOP. The most recent version of the system COOP was dated October 2004, while the overall SSAA was last updated on April 27, 2005. As a result, there were discrepancies between the BSM-E (FAS) COOP and the SSAA. The Management Information software, one of the five primary software programs that make up the system, was not included in the COOP documentation. Additionally, the COOP contained an inaccurate Alternate Site point of contact list. DLA should review and update the BSM-E (FAS) COOP to correct its inconsistencies with the BSM-E (FAS) SSAA.

Testing of COOP. DLA had not recently tested the BSM-E (FAS) COOP.
DLA had performed extensive two-day COOP tests each year; however, the last test occurred in October 2004. DLA had developed an efficient and effective mirrored COOP site⁴ for BSM-E (FAS). However, because DLA delayed the migration date of BSM-E (FAS) to the EDC numerous times, DLA did not know when the next COOP test of BSM-E (FAS) would take place; therefore, DLA was not compliant with its own COOP testing policy, which requires all IT COOP Plan processes to be tested annually. In addition, since the Base Level portion of BSM-E (FAS) did not have its own COOP, a Memorandum of Understanding/Agreement (MOU/A) should be in place between DLA and the Services stating that COOP testing of the system was the responsibility of DLA.

⁴ NIST Special Publication 800-34 states that mirrored sites are fully redundant facilities with full, real-time information mirroring, and are identical to the primary site in all technical respects. These sites provide the highest degree of availability because the data is processed and stored at the primary and alternate site simultaneously.

Backup and Recovery Procedures. DLA did not know if there was proper creation and storage of backup data for the Base Level system. At one of the three sites visited, the daily, weekly, and monthly backups of the fuels data were located in a small diskette box next to the main Base Level system computer terminal.
According to the DESC Interim Procedures for Retention and Backup of Base Level Fuels Data, dated September 12, 2005, copies of the current daily and weekly Base Level system fuels data backup CDs/tapes should be stored in a suitable container at a location geographically separated from the Base Level system computer terminal. As of April 2006, there is no requirement for the Military Sites operating the Base Level system to adhere to DLA guidance and, therefore, the DESC Procedures are only used as a best practice at the Base Level. The DLA One Book Chapter, "IA Operational Controls," dated August 19, 2004, states that audit records for MAC II IT systems should be backed up daily. The One Book Chapter, "IT COOP Planning," also maintains that DLA should regularly perform data backups to avoid data loss and store current and archived backup data offsite.

Additionally, DLA did not efficiently provide updates of the DESC Interim Procedures for Retention and Backup of Base Level Fuels Data to the Base Level fuels personnel. One of the three sites visited used a version of the DESC Procedures that was over one year old. Updated versions of these procedures were placed on the DESC website; however, the Base Level users were not notified when those updates occurred. NIST Special Publication 800-18 states that backup procedures should be followed to ensure an application continues to be processed if the IT system becomes unavailable; backup procedures should specify the frequency and scope of backing up data.
DLA should notify the Base Level users when updates to the DESC Procedures occur to ensure the proper backup guidelines are being followed.

BSM-E (FAS) recovery procedures did not exist at the Base Level. None of the three sites visited had a formal contingency/recovery plan for BSM-E (FAS). Two of the sites did not have an established alternate processing facility for the Base Level system. DLA representatives explained that sites using BSM-E (FAS) are not required to develop a separate contingency/recovery plan for the Base Level system, even though one site did take responsibility to further secure the application. DLA and Base Level fuels personnel stated that the Base Level users will call the DESC Help Desk⁵ with any questions or concerns about the Base Level system, even though there is no formal documentation telling them to do so. For example, the Base Level fuels personnel at one of the three sites visited encountered computer problems, which consisted of the two Base Level system computers randomly restarting. According to the Base Level fuels personnel, this was a recurring problem; however, no previous effort had been made to contact the DESC Help Desk to correct the problem. DLA should develop a MOU/A between DLA and the Services to ensure that Base Level system procedures for the Base Level system users are followed.
Without an MOU/A between DLA and the Services, it is unclear who is responsible for recovery procedures at the Base Level.

⁵ The DESC Help Desk is the primary source for reporting problems and obtaining assistance for problems related to DESC applications.

Oversight of Information Assurance

The DLA One Book serves as the single authorized repository for Agency policies, processes, and procedures, and provides a mechanism for knowledge sharing within the Agency. Additionally, DLA determined that the One Book should be a major initiative in the internal process arena. By documenting its processes in the One Book, DLA wanted to achieve process management, improvement, and excellence. According to DLA, process documentation should be the foundation for having repeatable processes, for managing processes, and for having a baseline to improve upon.

IA Roles and Responsibilities. DLA had not adequately defined processes and procedures in the One Book for ensuring that IA responsibilities were fulfilled. According to the DLA One Book Chapter, "Information Assurance (IA) Management Controls," dated August 2, 2004, the Chief of IA will develop DLA IA policies and guidelines and ensure Agency compliance. However, no additional guidance has been issued by the Chief of IA with regard to information assurance responsibilities. In addition, the One Book policy needs updating to reflect the current organizational structure that the Chief of IA oversees.

Management Control Program. The DLA One Book assigns responsibilities to the DAA, the Chief of IA, the Program Manager or System Manager, the IA Manager, and the IA Officer.
However, DLA has not instituted an effective Management Control Program to ensure personnel in each of those positions are completing their assigned responsibilities. Specifically regarding BSM-E (FAS), IA roles and responsibilities for the C&A of BSM-E (FAS) have not been clearly defined within the SSAA. Each BSM-E (FAS) Base Level operating location handles the BSM-E (FAS) user access controls differently. The current management of workstation settings, the removal of users and inactive accounts, access to software, and the training and documentation of qualified users puts BSM-E (FAS) information at risk of being accessed by non-authorized personnel. Additionally, there are no clearly defined roles at the Base Level for the continuity of system operations should the system fail. DoD Instruction 8500.2 requires that information ownership responsibilities be established and that persons in those positions be held accountable for their assigned responsibilities. DLA should create a control objective that ensures all parties responsible for the certification and accreditation of a system are completing the appropriate tasks efficiently and effectively.

DLA's current assessment of its management controls includes an evaluation of the integrity of its automated information systems.
According to DLA, users must have a logon identity and password for access to an information system. Currently, when accessing BSM-E (FAS) at the Base Level, a logon identity and password are not needed once a user is logged on to the site's local area network. With the full implementation of Fuels Manager Defense 6.0, all BSM-E (FAS) users will be required to log into the Base Level portion of the system using an additional assigned logon identity and password.

DLA headquarters does not track who has access to BSM-E (FAS) at non-DLA locations. The J6F grants access to all FES users at DLA headquarters; however, once the FES users have access, DLA no longer consistently monitors the users. In addition, DESC does not monitor who has access to BSM-E (FAS) at the Base Level. Therefore, it is inaccurate for the J6F to report that the combination of a DESC login ID and secure passwords will prevent all unauthorized users from accessing the system. DLA does not know if users are denied system access when they no longer require access to BSM-E (FAS). As a result, the DLA evaluation of the integrity of its Automated Information Systems is inadequate.

The J6F Management Control Program assessment reports that DLA performs biannual training of assigned functional area security personnel. However, DLA currently does not have a personnel training policy in place and is developing an IT and IA Professional Development Plan, which will outline training, skills, and tasks for all job functions at DLA.

Memorandum of Understanding/Agreements. OMB Circular A-130, Appendix III, requires that a system that interconnects with another system and shares information must have a system security plan that establishes controls consistent with the rules of the system and that are in accordance with guidance from NIST.
Additionally, Appendix III requires agencies to obtain written management authorization before connecting their IT systems to other systems, based on an acceptable level of risk. NIST Special Publication 800-47, "Security Guide for Interconnecting IT Systems," dated August 2002, defines a system interconnection as the direct connection of two or more IT systems for the purpose of sharing data and other information resources. According to NIST Special Publication 800-47, an organization that owns and operates a connected IT system should develop an Interconnection Security Agreement to document the technical requirements of the interconnection. A MOU/A should also be created that defines the responsibilities of the participating organizations.

DLA does not have an Interconnection Security Agreement or an MOU/A with the Services that allows the BSM-E (FAS) Base Level system to reside and operate on their local area networks; however, BSM-E (FAS) personnel have entrusted Service personnel to ensure operational controls are in place for BSM-E (FAS) at the Base Level. The DLA One Book does not address the completion of an Interconnection Security Agreement or an MOU/A in any of its policies on IA. In addition, the management control assessment of the integrity of information systems does not include a determination as to whether appropriate MOU/As are in place with Military Components that are operating DESC systems on their local area networks, as is the case with BSM-E (FAS).

Conclusion

BSM-E (FAS) is operating with vulnerabilities that present potential risks to DLA and the DoD. Because BSM-E (FAS) is operating at non-DLA sites, the Agency should have an MOU/A with all the sites operating its system.
The MOU/A should clearly delineate security safeguard responsibilities, including the C&A of the Base Level sites and the local area networks that BSM-E (FAS) is operating on. Without a clearly defined agreement between the two organizations that own and operate the interconnected BSM-E (FAS) and the local area network, it is unclear which party should be establishing, operating, and securing the interconnection.

Additionally, the information being reported between DLA and the military services cannot be considered completely reliable while there is a risk of unauthorized access. Until DLA develops MOU/As that specifically outline the IA roles and responsibilities of DLA and the military services, BSM-E (FAS) information will be at risk and will not be secured to the fullest extent possible.

If BSM-E (FAS) users are not consistently provided annual security awareness training or required privileged user training, those individuals could either knowingly or inadvertently introduce security vulnerabilities into DoD networks. If personnel are not adequately informed of applicable organizational policy and procedures, they cannot be expected to effectively secure computer resources. In addition, if DLA does not have an accurate method to track who has received annual security awareness training, the agency is unable to know which employees could pose a serious threat to the security of its computer resources.

Without annual COOP testing, DLA cannot provide adequate assurance that BSM-E (FAS), a MAC II system, will be able to recover from a system failure. The consequences of a system failure could delay or degrade important support services or commodities and may seriously impact DoD mission effectiveness or operational readiness.
Furthermore, without an MOU/A, there are no clearly defined responsibilities at the BSM-E (FAS) Base Level regarding the backup and recovery of the system, should a failure occur.

Recommendations, Management Comments, and Audit Response

1. We recommend that the Director, Defense Logistics Agency:

a. Require the Defense Logistics Agency Chief Information Officer/Designated Approving Authority to:

(1) Ensure the Business Systems Modernization-Energy (Fuels Automated System) completes a full certification and accreditation to include the Base Level Support Application;

Management Comments. The DLA CIO nonconcurred and stated that the DLA CIO/DAA has already accredited the BSM-E (FAS). The original BSM-E (FAS) ATO was issued on December 30, 2004, with an expiration date of June 28, 2007. The BSM-E (FAS) Base Level Support Application received a separate ATO on September 21, 2005, to support a Type Accreditation that expires on September 12, 2008.

Audit Response. The DLA CIO comments were nonresponsive. On December 30, 2004, the BSM-E (FAS) received an IATO, which expired on June 28, 2005. The initially requested ATO could not be granted based on outstanding IA items within the POA&M. Therefore, the BSM-E (FAS) has not been fully certified and accredited since 2001. In addition, on May 13, 2005, the DLA CIO/DAA issued an "Interim Approval to Operate Extensions for Applications Migrating to the Enterprise Data Center" pending the realignment of BSM-E (FAS) under the EDC. However, DLA has not determined when the migration to the EDC will occur. We request that DLA provide additional comments on the report.

(2) Develop information assurance policies and guidelines as required by the Defense Logistics Agency One Book; and

Management Comments.
The DLA CIO nonconcurred and stated that the DLA CIO/DAA has published five One Book chapters to facilitate DLA's implementation of DoD IA requirements. The requirements included within these One Book chapters fully address the policies required to implement and sustain an effective IA Program.

Audit Response. The DLA CIO comments were nonresponsive. The DLA One Book chapter, "Information Assurance Management Controls," established the IA policy, requirements, and processes to implement, manage, and sustain an effective DLA IA program. The measurable output of this process is the implementation of a DLA IA program to ensure the confidentiality, integrity, availability, and non-repudiation of Sensitive But Unclassified and classified data processed and stored by IT systems. However, DLA has not effectively ensured the confidentiality, integrity, and availability of the information contained in systems that have received a type accreditation such as the BSM-E (FAS). (See Audit Response to Recommendation 1.a.3. below.) In addition, two of the five DLA One Book chapters referred to by DLA discuss the Chief of IA as part of the J-633 organization, which no longer exists in DLA. We request that DLA provide additional comments on the implementation and management of their IA program.

(3) Create a management control program that ensures compliance with all DoD and agency information assurance policies and guidelines.

Management Comments. The DLA CIO nonconcurred and stated that DLA has an effective IA management control program in place to ensure compliance with IA policies and guidelines. The IA Management Control One Book Chapter establishes responsibility for ensuring IA requirements are enforced by appropriate levels throughout the DLA organization.
Also, IA Performance Reviews are performed on a continuous basis to provide an independent assessment of the IA program implementation across the Agency. In addition, DLA commented that the Agency is not responsible for ensuring that Military Service personnel comply with DoD IA requirements. The BSM-E (FAS) Base Level Support Application Type Accreditation delineates Military Service personnel IA responsibilities, and DLA does not have enforcement authority or responsibility for ensuring their compliance.

Audit Response. The DLA CIO comments were nonresponsive. DLA did not provide evidence that it conducted and completed IA Performance Reviews that provided an independent assessment of the IA program implementation across the Agency. Additionally, according to DoD 8510.1-M, an SSAA should be prepared for the system software and hardware considered under a type accreditation. The SSAA should be shipped to each prospective installation site with the software and hardware, where the site manager will receive confirmation and documentation of the C&A results and the equipment included in the SSAA. After installation of the information system, the type SSAA should be included in the network or site SSAA. However, DLA was unaware that the BSM-E (FAS) SSAA was not included in Base Level network SSAAs. Further, DoD 8510.1-M states that the information system facility and equipment must be under the control of the DAA. Any facility or equipment that is not considered or is not under the control of the DAA should be considered an external interface. A description of the system's external interfaces should include the purpose of each external interface and the relationship between the interface and the system. The BSM-E (FAS) SSAA did not identify any external interfaces.
We request that DLA provide the IA Performance Reviews that provide an independent assessment of the IA Program implementation across the Agency. We also request that DLA provide additional comments on the report.

b. Develop a Defense Logistics Agency plan of action and milestones pertaining to the significant management control weaknesses identified in 1.a. above and continue to report progress on corrective action to the Assistant Secretary of Defense for Networks and Information Integration on a quarterly basis, beginning March 2006, until all corrective actions are completed and verified, as required by the Federal Information Security Management Act.

Management Comments. The DLA CIO nonconcurred and stated that additional IA management controls are not required; therefore, there is no need to establish a POA&M or report on the implementation of controls that are currently in place.

Audit Response. The DLA CIO comments were nonresponsive. See Audit Response to Recommendation 1.a. above. According to OMB Memorandum 05-15, "FY 2005 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management," June 13, 2005, program officials should develop a POA&M for all systems when an IT security weakness has been identified. The guidance directs CIOs and agency program officials to develop, implement, and manage an agency-wide POA&M process and incorporate all known IT security weaknesses associated with information systems used or operated by the agency. A status update of the system performance metric must be submitted quarterly to OMB. The agency CIO centrally tracks, maintains, and reviews POA&M activities on at least a quarterly basis.
In addition, OMB Memorandum 05-15 states that all agencies must implement the requirements of FISMA and report annually to OMB and Congress on the effectiveness of their security programs. We request that DLA provide additional comments on the report.

2. We recommend the Defense Logistics Agency Chief Information Officer/Designated Approving Authority:

a. Require the Information Operations Directorate, Fort Belvoir site, no later than May 2006, to:

(1) Update the Business Systems Modernization-Energy (Fuels Automated System) plan of action and milestones to include all security weaknesses based on the current system configuration;

Management Comments. The DLA CIO concurred and stated that corrective actions for the BSM-E (FAS) Base Level Support Application security vulnerabilities have been completed as part of Version 2.0 and are currently undergoing testing. An ATO to support Type Accreditation of Version 2.0 will be granted upon successful completion of this testing.

Audit Response. Although DLA concurred, we consider the DLA CIO comments nonresponsive because DLA referenced an outdated POA&M and did not discuss the most current version of the POA&M, dated June 2005, which was provided to the audit team during the audit. We request that DLA provide an updated POA&M that specifically details the corrective actions that have occurred on the ten deficiencies identified in the June 2005 POA&M. In addition, the updated POA&M should include all other outstanding deficiencies, corrective actions planned, and the expected date of the corrective actions.

(2) Create formal procedures for the granting of access to and removal of Business Systems Modernization-Energy (Fuels Automated System) Base Level users and Fuels Enterprise Server users at the Base Level;

Management Comments.
The DLA CIO concurred and stated that the DLA\nCIO/DAA will direct J6F to take actions to implement appropriate measures for\ngranting user access to the FES. However, J6F is not responsible for ensuring\nimplementation of appropriate measures for granting user access to the BSM-E\n(FAS) Base Level Support Application. Under provisions within the Type\nAccreditation, this responsibility rests with the respective operational\norganizations as stipulated in BSM-E (FAS) Base Level Support Application\nSSAA.\n\nAudit Response. Although the DLA CIO concurred with regard to FES users,\nwe consider the comments regarding Base Level BSM-E (FAS) users\nnonresponsive. According to DoD 8510.1-M, the type accreditation SSAA must\nclearly define the system operating environment. The BSM-E (FAS) Base Level\nSupport Application ATO, signed by the DAA, should have included a statement\n\n\n                                   17\n\x0cthat the system was granted a type accreditation and that the operators assume the\nresponsibility to monitor the operational environment for compliance with that\nenvironment as described in the accreditation documentation. However, it did\nnot. Additionally, DoD 8510.1-M requires the program manager, user\nrepresentative, and information system security officer to ensure proper security\noperating procedures, configuration guidance, and training is delivered with the\nsystem. However, DLA did not develop or provide specific guidance to the Base\nLevel system personnel regarding the granting of access and removal of BSM-E\n(FAS) Base Level users and FES users at the Base Level. We request DLA\nprovide additional comments on the report.\n\n             (3) Create a formal and standard User Agreement/Rules of\nBehavior document before allowing access to Business Systems\nModernization-Energy (Fuels Automated System);\n\nManagement Comments. 
The DLA CIO nonconcurred and stated that the IA\nRules of Behavior Process One Book Chapter includes appropriate agreements for\ndifferent levels of DLA system users, who are required to sign the agreement\nacknowledging receipt and understanding prior to being granted system access.\nThe DLA CIO/DAA will continue to emphasize compliance with the One Book\nChapter for all Fuels Enterprise Server users. However, DLA is not responsible\nfor ensuring that Military Service personnel comply with DLA policy for granting\naccess to the BSM-E (FAS) Base Level Support Application.\n\nAudit Response. The DLA CIO comments were nonresponsive. There are FES\nusers at the Base Level; therefore, those FES users must follow the DLA IA Rules\nof Behavior Process One Book Chapter. DLA is responsible for ensuring the FES\nusers at the Base Level comply with the DLA policy for granting access to\nBSM-E (FAS). In order for DLA to ensure FES user compliance with the One\nBook policies, an MOU/A needs to be created and implemented between DLA\nand the Services. OMB Memorandum 05-15 states that for non-national security\nprograms and systems, agencies must follow NIST standards and guidelines.\nAccording to NIST SP 800-47, federal agencies must establish interconnection\nagreements. Also, OMB Circular A-130, Appendix III, requires agencies to\nobtain written management authorization before connecting their IT systems to\nother systems, based on an acceptable level of risk. The written authorization\nshould define the rules of behavior and controls that must be maintained for the\nsystem interconnection and it should be included in the organization\xe2\x80\x99s system\nsecurity plan. 
Additionally, NIST SP 800-47 states that an MOU/A defines the\npurpose of the interconnection; identifies relevant authorities; specifies the\nresponsibilities of both organizations; and defines the terms of agreement.\nTherefore, DLA must create an MOU/A with the Services operating BSM-E\n(FAS) in order to establish responsibility and define the rules of behavior for\nBSM-E (FAS) Base Level users. We request that DLA provide additional\ncomments on the report.\n\n              (4) Update the Business Systems Modernization-Energy (Fuels\nAutomated System) continuity of operations plan to correct inconsistencies\nwith the Business Systems Modernization-Energy (Fuels Automated System)\nSystem Security Authorization Agreement; and\n\n\n\n                                    18\n\x0cManagement Comments. The DLA CIO concurred and stated that the BSM-E\n(FAS) application is currently in the process of transitioning to the DLA EDC.\nAs a result of this transition, the current BSM-E (FAS) COOP is being updated\nfor integration into the new DLA EDC computing environment. Finalization of\nthis COOP update and associated testing are contingent upon completion of the\nBSM-E (FAS) application migration activities.\n\nAudit Response. Although the DLA CIO concurred, we consider the comments\npartially responsive. DLA does not have a specific date as to when BSM-E (FAS)\nwill migrate to the EDC; therefore, there is no definitive date for updating the\nBSM-E (FAS) COOP, which was last updated in October 2004. The date of the\nEDC transition has changed numerous times since October 2005 and DLA is\nunable to determine when the migration will occur. We recommend that the\nCIO/DAA require the Information Operations Directorate, Fort Belvoir (J6F) to\nestablish a realistic date for the BSM-E (FAS) migration to the EDC and update\nthe COOP to be in adherence with the BSM-E (FAS) SSAA. 
We request that\nDLA provide additional comments to this report.\n\n              (5) Perform a complete test of the continuity of operations\nplan for Business Systems Modernization-Energy (Fuels Automated System).\n\nManagement Comments. The DLA CIO concurred and stated that the BSM-E\n(FAS) application is currently in the process of transitioning to the DLA EDC.\nAs a result of this transition, the current BSM-E (FAS) COOP is being updated\nfor integration into the new DLA EDC computing environment. Finalization of\nthis COOP update and associated testing are contingent upon completion of the\nBSM-E (FAS) application migration activities.\n\nAudit Response. Although the DLA CIO concurred, we consider the comments\nonly partially responsive. DLA does not have a specific date as to when BSM-E\n(FAS) will migrate to the EDC; therefore, there is no definitive date for testing\nthe BSM-E (FAS) COOP. The date of the transition to the EDC has changed\nnumerous times since October 2005 and DLA is unable to determine when the\nmigration will occur. We recommend that the CIO/DAA require the Information\nOperations Directorate, Fort Belvoir (J6F) to establish a realistic date for the\nBSM-E (FAS) migration to the EDC and perform a complete test of the COOP.\n\n3. We recommend the Information Operations Directorate, Fort Belvoir, no\nlater than May 2006, create a Memorandum of Understanding/Agreement\nwith the Business Systems Modernization-Energy (Fuels Automated System)\nBase Level user sites that defines the responsibilities for:\n\n       a. Ensuring a screen-lock function is installed on every workstation\nthat runs Business Systems Modernization-Energy (Fuels Automated\nSystem).\n\nManagement Comments. The DLA CIO nonconcurred and stated that they have\nincluded the appropriate IA operational requirements within the BSM-E (FAS)\nBase Level Support Application SSAA in accordance with the provisions of DoD\n8510.1-M, paragraph C3.3.5, for Type Accreditation. 
The SSAA supporting\nType Accreditation eliminates the need for a separate MOU/A between DLA and\n\n\n                                    19\n\x0cBSM-E (FAS) Base Level user sites. The provisions within the BSM-E (FAS)\nBase Level Support Application SSAA are binding on all organizations where the\napplication is installed and operated. Military Service organization can opt to\nseparately accredit the BSM-E (FAS) Base Level Support Application if they\nchoose not to comply with the Type Accreditation requirements.\n\nAudit Response. The DLA CIO comments were nonresponsive. According to\nOMB Memorandum 05-15, agencies must follow NIST standards and guidelines\nfor non-national security programs and systems. Therefore, according to NIST\nSP 800-47, organizations that own and operate connected systems should\nestablish an MOU/A (or equivalent document) that defines the responsibilities of\nboth parties in establishing, operating, and securing the interconnection. More\nspecifically, the MOU/A defines the purpose of the interconnection; identifies\nrelevant authorities; specifies the responsibilities of both organizations; and\ndefines the terms of agreement. DLA did not establish MOU/As with the\nServices that would allow the BSM-E (FAS) Base Level system to reside and\noperate on their local area networks. Additionally, the BSM-E (FAS) Base Level\nSupport Application Environment Description contained in the SSAA does not\ncomply with DoD 8510.1-M, paragraph C3.3.3.5. (the paragraph C.3.3.5.\nreferenced in the DLA response does not exist and may be a typo), which states\nthat a type accreditation SSAA should define the intended operating environment\nas well as any operating procedures required for the type accredited system. The\nBSM-E (FAS) Base Level Support Application SSAA does not specifically state\nthat a screen lock function should be installed on every workstation that runs\nBSM-E (FAS). 
The DoD 8510.1-M states that the program manager, user\nrepresentative, and information system security officer should ensure that the\nproper security operating procedures, configuration guidance, and training is\ndelivered with the system. The Information Operations Directorate, Fort Belvoir\n(J6F), did not take steps to define proper security operating procedures; did not\nprovide proper configuration for the BSM-E (FAS); and did not administer\nsecurity training to the Base Level users. Further, DoD 8510.1-M requires the\ntype accreditation SSAA be shipped to each prospective installation site with the\nintention of the system SSAA being included in the site SSAA; however, there\nwas no evidence that the BSM-E (FAS) SSAA was included in the Base Level\nsite SSAA at any of the visited military sites. We request that DLA provide\nadditional comments to the report.\n\n      b. Evaluating network settings at Base Level sites to ensure that only\ncurrent users have access to Business Systems Modernization-Energy (Fuels\nAutomated System).\n\nManagement Comments. The DLA CIO nonconcurred and stated that they have\nincluded the appropriate IA operational requirements within the BSM-E (FAS)\nBase Level Support Application SSAA in accordance with the provisions of DoD\n8510.1-M. The SSAA supporting Type Accreditation eliminates the need for a\nseparate MOU/A between DLA and BSM-E (FAS) Base Level user sites. The\nprovisions within the BSM-E (FAS) Base Level Support Application SSAA are\nbinding on all organizations where the application is installed and operated.\nMilitary Service organizations can opt to separately accredit the BSM-E (FAS)\nBase Level Support Application if they choose not to comply with the Type\nAccreditation requirements.\n\n\n                                   20\n\x0cAudit Response. The DLA CIO comments were nonresponsive. See Audit\nResponse to Recommendation 3.a. above. 
Additionally, the BSM-E (FAS) Base\nLevel Support Application SSAA does not define responsibilities for evaluating\nnetwork settings at Base Level sites to ensure that only current users have access\nto BSM-E (FAS). We request that DLA provide additional comments to the\nreport.\n\n      c. Creating a formal policy for the removal of inactive accounts after\n30 days of inactivity.\n\nManagement Comments. The DLA CIO nonconcurred and stated that they have\nincluded the appropriate IA operational requirements (to include account control)\nwithin the BSM-E (FAS) Base Level Support Application SSAA in accordance\nwith the provisions of DoD 8510.1-M. The SSAA supporting Type Accreditation\neliminates the need for a separate MOU/A between DLA and BSM-E (FAS) Base\nLevel user sites. The provisions within the BSM-E (FAS) Base Level Support\nApplication SSAA are binding on all organizations where the application is\ninstalled and operated. Military Service organizations can opt to separately\naccredit the BSM-E (FAS) Base Level Support Application if they choose not to\ncomply with the Type Accreditation requirements.\n\nAudit Response. The DLA CIO comments were nonresponsive. See Audit\nResponse to Recommendation 3.a. above. Additionally, the BSM-E (FAS) Base\nLevel Support Application SSAA does not contain a policy for the removal of\ninactive accounts after 30 days of inactivity. We request that DLA provide\nadditional comments to the report.\n\n       d. Requiring Base Level users to ensure that Business Systems\nModernization-Energy (Fuels Automated System) software is stored at a\nlocation separate from the operating location and in an appropriate\ncontainer.\n\nManagement Comments. The DLA CIO nonconcurred and stated that they have\nincluded the appropriate IA operational requirements (to include continuity of\noperations) within the BSM-E (FAS) Base Level Support Application SSAA in\naccordance with the provisions of DoD 8510.1-M. 
The SSAA supporting Type\nAccreditation eliminates the need for a separate MOU/A between DLA and\nBSM-E (FAS) Base Level user sites. The provisions within the BSM-E (FAS)\nBase Level Support Application SSAA are binding on all organizations where the\napplication is installed and operated. Military Service organization can opt to\nseparately accredit the BSM-E (FAS) Base Level Support Application if they\nchoose not to comply with the Type Accreditation requirements.\n\nAudit Response. The DLA CIO comments were nonresponsive. See Audit\nResponse to Recommendation 3.a. above. Additionally, the BSM-E (FAS) Base\nLevel Support Application SSAA does not require Base Level users to ensure the\nBSM-E (FAS) backup software is stored at a location separate from the operating\nlocation and in an appropriate container. We request that DLA provide additional\ncomments to the report.\n\n\n\n\n                                    21\n\x0c       e. Ensuring Business Systems Modernization-Energy (Fuels\nAutomated System) users are provided annual security awareness training\nconsistent with the requirements in DoD Directive 8570.1.\n\nManagement Comments. The DLA CIO nonconcurred and stated that the\nMilitary Service personnel at BSM-E (FAS) Base Level user sites should have\nreceived security awareness training as a prerequisite to gaining local area\nnetwork access, as required by DoDI 8500.2. DLA is responsible for and\nincludes training on the application security controls as part of its normal BSM-E\n(FAS) Base Level Support Application user training.\n\nAudit Response. The DLA CIO comments were nonresponsive. According to\nDoD 8510.1-M, for a type accreditation, the DAA should include a statement in\nthe accreditation memorandum that declares the system is granted a type\naccreditation and the operator must assume the responsibility to monitor the\nenvironment for compliance with the environment as described in the\naccreditation documentation. 
DLA did not include a similar statement in the\nBSM-E (FAS) Base Level Support Application SSAA. Further, DLA should\nensure that the proper security operating procedures, configuration guidance, and\ntraining is delivered with the system to the Base Level sites, as required by DoD\n8510.1-M. DLA did not provide training guidance to the Base Level operating\nsites for granting Base Level BSM-E (FAS) users access to the system. We\nrequest that DLA provide additional comments on the report.\n\n       f. Tracking users with significant security responsibilities and ensure\nthose users are being properly trained consistent with the requirements in\nDoD Directive 8570.1.\n\nManagement Comments. The DLA CIO nonconcurred and stated that the\nMilitary Service personnel at BSM-E (FAS) Base Level user sites should have\nreceived security awareness training as a prerequisite to gaining local area\nnetwork access, as required by DoDI 8500.2. DLA is responsible for and\nincludes training on the application security controls as part of its normal BSM-E\n(FAS) Base Level Support Application user training.\n\nAudit Response. The DLA CIO comments were nonresponsive. According to\nDoD 8510.1-M, for a type accreditation, the DAA should include a statement in\nthe accreditation memorandum that declares the system is granted a type\naccreditation and the operator must assume the responsibility to monitor the\nenvironment for compliance with the environment as described in the\naccreditation documentation. DLA did not include a similar statement in the\nBSM-E (FAS) Base Level Support Application SSAA. Further, DLA should\nensure that the proper security operating procedures, configuration guidance, and\ntraining is delivered with the system to the Base Level sites, as required by DoD\n8510.1-M. DLA did not provide training guidance to the Base Level operating\nsites for granting Base Level BSM-E (FAS) users access to the system. 
We\nrequest that DLA provide additional comments on the report.\n\n       g. Ensuring backup and recovery procedures exist and are being\nfollowed at the Business Systems Modernization-Energy (Fuels Automated\nSystem) Base Level.\n\n\n                                    22\n\x0cManagement Comments. The DLA CIO nonconcurred and stated that they have\nincluded the appropriate IA operational requirements (to include continuity of\noperations) within the BSM-E (FAS) Base Level Support Application SSAA in\naccordance with the provisions of DoD 8510.1-M. The SSAA supporting Type\nAccreditation eliminates the need for a separate MOU/A between DLA and\nBSM-E (FAS) Base Level user sites. The provisions within the BSM-E (FAS)\nBase Level Support Application SSAA are binding on all organizations where the\napplication is installed and operated. Military Service organization can opt to\nseparately accredit the BSM-E (FAS) Base Level Support Application if they\nchoose not to comply with the Type Accreditation requirements.\n\nAudit Response. The DLA CIO comments were nonresponsive. See Audit\nResponse to Recommendation 3.a. above. Additionally, the BSM-E (FAS) Base\nLevel Support Application SSAA does not require BSM-E (FAS) Base Level\nusers to ensure backup and recovery procedures exist and are being followed at\nthe BSM-E (FAS) Base Level operating sites. We request that DLA provide\nadditional comments to the report.\n\n\n\n\n                                   23\n\x0cAppendix A. Scope and Methodology\n   We searched the DoD Information Technology Registry in March 2005 for DLA\n   information systems designated as Mission Critical and MAC I or II. 
We selected\n   the BSM-E (FAS), a Mission Critical, MAC II system, for review.\n\n   We assessed the information security operational controls for the BSM-E (FAS).\n   We visited and interviewed personnel at the DLA Headquarters, Fort Belvoir,\n   Virginia; Charleston Air Force Base, Charleston, South Carolina; Beaufort\n   Marine Corps Air Station, Beaufort, South Carolina; Fort Hood Army Base,\n   Killeen, Texas; the Defense Supply Center Richmond, Richmond, Virginia; and\n   the Washington Navy Yard, Washington, D.C. Throughout the site visits and\n   interviews, we evaluated the certification and accreditation for BSM-E (FAS), the\n   system security plan, risk assessment, user access, security awareness and\n   training, and continuity of operations and disaster recovery of BSM-E (FAS).\n\n   We reviewed Federal laws, OMB guidance, NIST guidance, and DoD Directives,\n   Instructions, and Memoranda. We also reviewed the BSM-E (FAS) SSAA dated\n   April 27, 2005; the BSM-E (FAS) COOP dated October 2004; the DESC Interim\n   Procedures for Retention and Backup of Base Level Fuels Data, dated\n   September 12, 2005; the DESC Interim Procedures for Requesting Access to\n   DESC Automated Information System Applications, dated July 1, 2005; and the\n   DLA One Book Chapters discussing IT COOP Planning; IA Rules of Behavior\n   Process; IA Operational Controls; and IA Management Controls.\n\n   We performed this audit from April 2005 through January 2006 in accordance\n   with generally accepted government auditing standards.\n\n   Use of Computer-Processed Data. We did not use computer-processed data to\n   perform this audit.\n\n   Government Accountability Office High-Risk Area. The Government\n   Accountability Office has identified several high-risk areas in DoD. 
This report\n   provides coverage of the Protecting the Federal Government\xe2\x80\x99s Information-\n   Sharing Mechanisms and the Nation\xe2\x80\x99s Critical Infrastructures high-risk area.\n\n\n\n\n                                       24\n\x0cAppendix B. Prior Coverage\n      During the last five years, the DoD IG and Government Accountability Office\n      have issued eight reports related to information security operational controls\n      within the DoD and DLA. Unrestricted Government Accountability Office\n      reports can be accessed over the Internet at http://www.gao.gov. Unrestricted\n      DoD IG reports can be accessed at http://www.dodig.mil/audit/reports.\n\nGAO\n      GAO Report No. GAO-06-31, \xe2\x80\x9cInformation Security: The Defense Logistics\n      Agency Needs to Fully Implement Its Security Program,\xe2\x80\x9d October 7, 2005\n\nDoD IG\n      DoD IG Report No. D-2006-042, \xe2\x80\x9cSecurity Status for Systems Reported in DoD\n      Information Technology Databases,\xe2\x80\x9d December 20, 2005\n\n      DoD IG Report No. D-2005-110, \xe2\x80\x9cSummary of Information Security Weaknesses\n      Reported by Major Oversight Organizations from August 1, 2004, through\n      July 31, 2005,\xe2\x80\x9d September 23, 2005\n\n      DoD IG Report No. D-2005-099, \xe2\x80\x9cStatus of Selected DoD Policies on\n      Information Technology Governance,\xe2\x80\x9d August 19, 2005\n\n      DoD IG Report No. D-2005-094, \xe2\x80\x9cProposed DoD Information Assurance\n      Certification and Accreditation Process,\xe2\x80\x9d July 21, 2005\n\n      DoD IG Report No. D-2005-054, \xe2\x80\x9cAudit of the DoD Information Technology\n      Security Certification and Accreditation Process,\xe2\x80\x9d April 28, 2005\n      DoD IG Report No. D-2005-029, \xe2\x80\x9cManagement of Information Technology\n      Resources Within DoD,\xe2\x80\x9d January 27, 2005\n\n      DoD IG Report No. 
D-2005-025, \xe2\x80\x9cDoD FY 2004 Implementation of the Federal\n      Information Security Management Act for Information Technology Training and\n      Awareness,\xe2\x80\x9d December 17, 2004\n\n\n\n\n                                          25\n\x0cAppendix C. Criteria\n\nFederal Guidance\n    Public Law 100-235, \xe2\x80\x9cComputer Security Act of 1987.\xe2\x80\x9d This law requires\n    each Federal Agency to identify each computer system that contains sensitive\n    information. In addition, the law requires agencies to develop a security plan for\n    each computer system. Each Federal agency shall provide for the mandatory\n    periodic training in computer security awareness and accepted computer security\n    practice of all employees who are involved with each Federal computer system of\n    that agency.\n\n    OMB Circular No. A-130, Appendix III, \xe2\x80\x9cSecurity of Federal Automated\n    Information Resources,\xe2\x80\x9d November 2000. Appendix III of OMB\n    Circular A-130 states that agencies shall implement and maintain an automated\n    information security program to assure that adequate security is provided for all\n    agency information collected, processed, transmitted, stored, or disseminated in\n    general support systems and major applications. The information security\n    program helps to ensure controls were adequate, properly implemented, and\n    applied consistently across the entity and information security responsibilities\n    were clearly understood.\n\n    NIST Guidance. FISMA amends section 20 of the NIST Act (15 United States\n    Code 278g-3) and, among other things, requires NIST to have the mission of\n    providing adequate information security for all agency operations and assets;\n    however, such standards and guidelines shall not apply to national security\n    systems. 
The standards and guidelines include, at a minimum, standards for\n    categorizing agency information and information systems and minimum\n    information security requirements for information and information systems in\n    each area.\n\n            NIST 800-26. NIST Special Publication 800-26, \xe2\x80\x9cSecurity Self-\n    Assessment Guide for IT Systems,\xe2\x80\x9d November 2001, builds on the Federal IT\n    Security Assessment Framework developed by NIST for the Federal Chief\n    Information Officer (CIO) Council. The Framework establishes a standardized\n    measurement of security status and criteria that agencies could use to determine if\n    security measures were adequately implemented. Additionally, NIST Special\n    Publication 800-26 provides guidance on applying the Framework by identifying\n    several control areas, such as those pertaining to system security plans, access\n    controls, and contingency planning.\n\n           NIST 800-34. NIST Special Publication 800-34, \xe2\x80\x9cContingency Planning\n    Guide for Information Technology Systems,\xe2\x80\x9d June 2002, provides instructions,\n    recommendations, and considerations for government IT contingency planning.\n    According to this guide, contingency planning involves establishing thorough\n    plans and procedures to enable a system to be recovered quickly and effectively\n    following a service disruption or disaster. Contingency planning generally\n    includes restoring IT operations at an alternate location; or recovering IT\n\n\n                                        26\n\x0c    operations using alternate equipment; or performing some or all of the affected\n    business processes using non-IT (manual) means. A COOP involves restoring an\n    organization\xe2\x80\x99s essential elements at an alternate site and performing those\n    functions for up to 30 days before returning to normal operations. 
The IT\n    Contingency Planning Process contains seven steps: develop the contingency\n    planning policy statement; conduct the business impact analysis; identify\n    preventative controls; develop recovery strategies; develop an IT contingency\n    plan; plan testing, training, and exercises; and plan maintenance.\n\n            NIST 800-47. NIST Special Publication 800-47, \xe2\x80\x9cSecurity Guide for\n    Interconnecting Information Technology Systems,\xe2\x80\x9d August 2002, provides a\n    \xe2\x80\x9clife-cycle management\xe2\x80\x9d approach for interconnecting IT systems, with an\n    emphasis on security. The approach includes four phases: planning, establishing,\n    maintaining, and disconnecting the interconnection. The document describes\n    various benefits of interconnecting IT systems, identifies the basic components of\n    an interconnection, identifies methods and levels of interconnectivity, and\n    discusses potential security risks associated with an interconnection. The\n    document also contains guides and samples for developing an Interconnection\n    Security Agreement, MOU/A and a System Implementation Plan. The MOU/A\n    defines the purpose of the interconnection, identifies relevant authorities,\n    specifies responsibilities of both organizations, and defines the terms of\n    agreement.\n\n            NIST 800-53. NIST Special Publication 800-53, \xe2\x80\x9cRecommended\n    Security Controls for Federal Information Systems,\xe2\x80\x9d February 2005, provides\n    guidelines for selecting and specifying security controls for information systems\n    supporting the executive agencies of the federal government and is intended to\n    provide guidance until the publication of Federal Information Processing\n    Standards 200, \xe2\x80\x9cMinimum Security Controls for Federal Information Systems,\xe2\x80\x9d in\n    December 2005. 
The minimum assurance requirements for these security controls are grouped by a security control baseline: low, moderate, and high. In addition, this document contains a security control catalog which outlines the controls, supplemental guidance, and control enhancements for families of security controls. The families of security controls covered include: access controls; awareness and training; certification, accreditation, and security assessments; configuration management; contingency planning; identification and authentication; incident response; physical and environmental protection; planning; personnel security; risk assessment; and system and communications protection.

DoD Guidance

DoD Instruction 5200.40, "DoD IT and Security Certification and Accreditation Process," December 30, 1997. This instruction implements policy, assigns responsibilities, and prescribes procedures under DoD Directive 5200.28, "Security Requirements for Automated Information Systems," March 21, 1988, for C&A of IT, including automated information systems, networks, and sites in the DoD. It also creates DoD 8510.1, "DoD IT and Security Certification and Accreditation Process Application Manual," July 2000, for security C&A of unclassified and classified IT, and stresses the importance of a life-cycle management approach to the C&A and reaccreditation of DoD IT.

DoD 8510.1-Manual, "DoD IT and Security Certification and Accreditation Process Application Manual," July 31, 2000. This manual is issued under the authority of DoD Instruction 5200.40, "DoD IT and Security Certification and Accreditation Process," December 30, 1997. The DoD IT and Security Certification and Accreditation Process establishes a standard process, set of activities, general tasks, and a management structure to certify and accredit information systems that will maintain the information assurance and security posture of the Defense Information Infrastructure. This manual provides implementation guidance to standardize the certification and accreditation process throughout DoD and is mandatory for use by all DoD Components. It breaks the process into 4 phases. Phases 2, 3, and 4 are related to security and contingency plans.

DoD Directive 8500.1, "Information Assurance (IA)," October 24, 2002. This directive establishes policy and assigns responsibilities to achieve DoD IA. This directive requires all DoD information systems to maintain an appropriate level of confidentiality, integrity, authentication, non-repudiation, and availability. DoD Directive 8500.1 requires adequate training of all personnel authorized access to DoD information systems and states that the minimum requirement for DoD information access should be a properly administered and protected individual identifier and password.

DoD Instruction 8500.2, "Information Assurance (IA) Implementation," February 6, 2003. This Instruction implements policies and procedures and assigns responsibilities for applying integrated, layered protection for DoD information systems and networks. DoD Instruction 8500.2 requires that all DoD information systems operate effectively and provide appropriate confidentiality, integrity, and availability. The Component Head should also ensure that IA awareness, training, education, and professionalization are provided to all military and civilian personnel, including contractors, commensurate with their respective responsibilities for developing, using, operating, administering, maintaining, and retiring DoD information systems. The Assistant Secretary of Defense for Command, Control, Communications, and Intelligence, as the DoD CIO, shall establish a DoD core curriculum for IA training and awareness and provide oversight of DoD IA education, training, and awareness activities.

DoD Instruction 8500.2 requires the use of an individual identifier and password to gain access to a DoD information system. Registration to receive a user ID and password includes authorization by a supervisor and is done in person before a designated registration authority. Also required, as part of MAC II system controls for integrity and availability, is a set of rules that describe the IA operations of the DoD information system and clearly delineate IA responsibilities and expected behavior of all personnel, including the consequences of inconsistent behavior or non-compliance. A workstation screen-lock functionality should also be implemented at each workstation as part of these controls.

DoD Directive 8570.1, "Information Assurance (IA) Training, Certification, and Workforce Management," August 15, 2004. This directive establishes policy and assigns responsibilities in accordance with IA in the DoD. DoD Directive 8570.1 requires that all employees with IA responsibilities be identified, tracked, and managed so that trained individuals are working at each function level. All authorized users of DoD Information Systems shall receive initial IA awareness orientation as a condition of access and thereafter must complete annual IA refresher awareness. Privileged users and IA managers shall be fully qualified, trained, and certified to DoD baseline requirements to perform their IA duties.

DoD Directive 3020.26, "Defense Continuity Program," September 8, 2004. This directive establishes the Defense Continuity Program, revises continuity policies, and assigns responsibilities to high-ranking officials for developing and maintaining the Defense Continuity Program. According to this Directive, the DoD shall have a comprehensive and effective Defense Continuity Program that ensures DoD Component mission essential functions continue under all circumstances. Also, the performance of mission essential functions in a continuity threat or event shall be the basis for continuity planning, preparation, and execution. This directive orders the Heads of the DoD Components to develop, coordinate, and maintain continuity plans and to update and reissue plans every two years. Also, the Heads of the DoD Components should test and exercise continuity plans at least annually, or otherwise as directed; identify relocation sites or platforms for use during continuity threats or events; and provide for the identification, storage, protection, and availability, for use at relocation sites, of the vital records, materiel, and databases required to execute mission essential functions.

DLA Guidance

DLA Directive 5025.30, The DLA One Book. The DLA One Book Chapters were developed as a knowledge-sharing single authorized repository for agency policies, processes, and procedures. The intent of the IA Operational Controls and IA Management Controls chapters of the DLA One Book is to establish the IA policy, requirements, and processes to implement, manage, and sustain an effective DLA IA Program. The DLA IT COOP Planning Chapter requires each DLA J6 Field Site to perform IT COOP planning, minimize the risk of losing processing capability, and ensure it has the ability to recover following loss of operational capability. In addition, it is DLA policy that all persons requiring access to DLA IT systems read, understand, and formally acknowledge the DLA IA Rules of Behavior prior to being granted initial IT system access or prior to a change in IT system access privileges.

DLA Interim Procedures. The DESC Interim Procedures for Retention and Backup of Base Level Fuels Data provide data backup procedures, general procedures for archiving and restoring data files, and procedures for conforming electronic data storage and retention to Federal and DoD policy guidelines and National Archive Standards. Additionally, the Interim Procedures for Requesting Access to DESC Automated Information System Applications provide instruction to personnel requiring access to any DESC Automated Information System Application by submitting a requirement for system access.

Appendix D. Report Distribution

Office of the Secretary of Defense
Under Secretary of Defense for Acquisition, Technology, and Logistics
  Deputy Under Secretary of Defense (Business Transformation)
Under Secretary of Defense (Comptroller)/Chief Financial Officer
  Deputy Under Secretary of Defense (Financial Management)
Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer
Chief Information Officer, Office of the Secretary of Defense

Joint Staff
Director, Joint Staff
Chief Information Officer, Joint Staff

Department of the Army
Chief Information Officer, Department of the Army
Auditor General, Department of the Army

Department of the Navy
Chief Information Officer, Department of the Navy
Naval Inspector General
Auditor General, Department of the Navy

Department of the Air Force
Chief Information Officer, Department of the Air Force
Auditor General, Department of the Air Force

Unified Commands
Chief Information Officer, U.S. Central Command
Chief Information Officer, U.S. European Command
Chief Information Officer, U.S. Joint Forces Command
Chief Information Officer, U.S. Northern Command
Chief Information Officer, U.S. Pacific Command
Chief Information Officer, U.S. Southern Command
Chief Information Officer, U.S. Special Operations Command
Chief Information Officer, U.S. Strategic Command
Chief Information Officer, U.S. Transportation Command

Other Defense Organizations
Director, Defense Logistics Agency
Chief Information Officer, American Forces Information Service
Chief Information Officer, Defense Advanced Research Projects Agency
Chief Information Officer, Defense Commissary Agency
Chief Information Officer, Defense Contract Audit Agency
Chief Information Officer, Defense Contract Management Agency
Chief Information Officer, Defense Finance and Accounting Agency
Chief Information Officer, Defense Human Resource Activity
Chief Information Officer, Defense Information Systems Agency
Chief Information Officer, Defense Logistics Agency
Chief Information Officer, Defense Security Cooperation Agency
Chief Information Officer, Defense Security Service
Chief Information Officer, Defense Technical Information Center
Chief Information Officer, Defense Technology Security Administration
Chief Information Officer, Defense Threat Reduction Agency
Chief Information Officer, Department of Defense Education Activity
Chief Information Officer, Department of Defense Inspector General
Chief Information Officer, DoD Test Resources Management Center
Chief Information Officer, Missile Defense Agency
Chief Information Officer, Pentagon Force Protection Agency
Chief Information Officer, TRICARE Management Agency
Chief Information Officer, U.S. Mission North Atlantic Treaty Organization
Chief Information Officer, Washington Headquarters Service

Non-Defense Federal Organization
Office of Management and Budget

Congressional Committees and Subcommittees, Chairman and Ranking Minority Member
Senate Committee on Appropriations
Senate Subcommittee on Defense, Committee on Appropriations
Senate Committee on Armed Services
Senate Committee on Homeland Security and Governmental Affairs
House Committee on Appropriations
House Subcommittee on Defense, Committee on Appropriations
House Committee on Armed Services
House Committee on Government Reform
House Subcommittee on Government Efficiency and Financial Management, Committee on Government Reform
House Subcommittee on National Security, Emerging Threats, and International Relations, Committee on Government Reform
House Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census, Committee on Government Reform

Defense Logistics Agency Comments

Team Members

The Department of Defense Office of the Deputy Inspector General for Auditing, Readiness and Operations Support prepared this report. Personnel of the Department of Defense Office of Inspector General who contributed to the report are listed below.

Kathryn M. Truex
Sarah A. Davis
Christopher M. Scrabis
Zachary M. Williams